26 October 2016

Recently, we wanted to start keeping track of users with mapped drives due to cryptolocker vulnerabilities. There are a few applications we have that require mapped drives, so we have certain users with them. Once again, I must say thank you to Sapien Technology for PowerShell Studio! That tool makes writing these PowerShell scripts a breeze.

This script will scan all user profiles on a machine and report users with mapped drives. This is done by parsing through the HKU registries. It has been written so that you can either have the script write the report to a text file if you do not have SCCM and/or it can write it to WMI so that SCCM can read the results. I have also included a UNCPathExclusionsFile parameter that allows you to create a text file that resides in the same directory as the script. It contains a list of UNC paths that you do not want the script to report. I recommend pre-populating the values of the $TextFileLocation and $UNCPathExclusionsFile parameters within the script. That just leaves the $OutputFile and $SCCMReporting left to specify at the command line.

If you are wanting this to write the results to SCCM, here is what you need to do. First, SCCM needs to know what to look for in order to report on it. This script will use WMI to report that data to SCCM. The first thing is to execute the script locally on any PC. Run it using the following command line: powershell.exe -file MappedDriveReport.ps1 -SCCMReporting

That command line will execute the script to scan for mapped drives write the results to WMI and then initiate a hardware inventory. Because the new WMI entry has not been added to SCCM, it will not be reported yet. Now that you have executed the script on the local machine, do the following:

Enter the computer name of the system you ran the script on, check recursive, check Credentials required (Computer is not local)---> <domain>\<username> in the username field, and finally the password for the associated username.

Click Connect

Click on the Class Name tab to sort by class name

Scroll down to find MappedDrives and check the box

Click OK

You have now added the WMI class to SCCM for it to grab the data from the PCs and report it back to SCCM.

To get the systems to report the data back to SCCM, you will need to setup a package, not an application, in SCCM to deploy out to the systems. I have the package setup to re-run once a week at 12:00 pm on Wednesdays so that I can get the most users to report back. More users are online at that time here than any of the other days.

If you read the .Example in the documentation portion of the script, you will see two examples on how to execute the script.

I have also included a hardware inventory within the script so the data will be reported back to SCCM right after the script is executed.

In order to view the data in SCCM, you can do the following using the Resource Explorer:

Right-click on a machine in the Assets and Compliance--->Devices

Click Start--->Resource Explorer

Click the plus beside Hardware

If a system had mapped drives, then there will be a mapped drives field, otherwise it does not exist.

You can also use the queries to report systems with mapped drives. Here is the query I use:

14 October 2016

Recently, we encountered a special situation where we needed to have an environment variable that consisted of the user's email address. That prompted me to write the following script that will do just that. The script needs to be executed as the user. I set it up in the logon script and hid the PowerShell script. This script was executed on Windows 10 machines, so I cannot guarantee it will execute on other OS versions.

NOTE: This script requires RSAT to be installed. in order to utilize the ActiveDirectory module.

04 October 2016

Recently, the firm started converting outlook over to cached mode. As we are converting machines, we needed a report for how many of them are done and how many are still in Online mode.

I found the some great info here on how to get the information from the exchange logs. The first thing that needs to be done is to retrieve the exchange logs from the directory where they reside on each exchange server. If the exchange servers have more than one drive, make sure you are looking on the right one. The logs are located here: %PROGRAMFILES%\Microsoft\Exchange Server\V14\Logging\RPC Client Access. You will want to copy them into the same directory as this script resides. I appended all of the logs into a single log file. The script will filter out duplicates.

I have included examples in the script documentation on command line executions of this script.